Extending Security with Oracle Database Vault by Joel Goodman

- Database Vault is an extra-cost option (but SOX needs it, and there have been recent incidents in the UK)
- Protection from the insider threat (fat privileges all around)
- Compliant separation of duties (SYSDBA, SYSOPER, SYSASM etc.)
- DV is transparent to applications and does not change access paths, but there is a performance overhead because of the extra checks
- DV will require more HR (staff) to take full advantage of it
- Concept of an "HR DBA" and a "sales DBA": use realms and rule sets together to implement separation of duties
- Database Vault Owner: the DVO is a DBA, but not a member of the DBA team; mostly a member of the security team
- Assign DVO and SYS to different staff. Audit DV realms. SYS gets ORA-02031 - insufficient privileges :)
- DV versus VPD (Virtual Private Database) and OLS (Oracle Label Security)
- Access control components: realms, factors, identifiers, rule sets, command rules, secure application roles
- Secure application roles are now part of DV
- For 10.2.0.3 DV is a separate installation
- dvca: configuration assistant
- To disable DV: shut down all instances > relink the Oracle executables > start up all instances > disable DV with dvca on all enabled instances
- To enable again: revert all the steps above, but it is better not to forget the DV account passwords :)
- DV GUI: like DB Control; http://host:1158/dva - for management and administration
- Also the dvsys.dbms_macadm / dvsys.dbms_macsec / dvsys.dbms_macutl APIs
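The "HR DBA" idea from the notes above (a realm plus a rule set used together for separation of duties), written out as an added example with the DBMS_MACADM API; this is not code from the talk or from Oracle's documentation. It assumes an existing HR schema, a user named HR_DBA, a constructed admin subnet 10.1.1.x, that the block is run by the Database Vault Owner (DV_OWNER role), and that the 10.2/11g signatures of DBMS_MACADM apply to the release in use.

```sql
-- Added example (not from the talk): an "HR DBA" built from a realm and a rule set.
-- Assumptions: HR schema and user HR_DBA exist; run as the DV owner; 10.2/11g API.
BEGIN
  -- 1. Realm: fence off every object in the HR schema. Once it is enabled, even a
  --    user holding DBA / SELECT ANY TABLE (SYS included) is blocked unless authorized.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects the HR schema from out-of-band privileged access',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit every blocked attempt

  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',    -- all objects ...
    object_type  => '%');   -- ... of every type

  -- 2. Rule set: the HR DBA may only administer HR objects from the admin subnet
  --    during office hours. Both rules must hold (G_RULESET_EVAL_ALL).
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR Admin Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 8 AND 18');
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR Admin Host',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') LIKE ''10.1.1.%''');  -- constructed subnet

  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Admin Window',
    description     => 'Admin subnet during office hours only',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR objects may only be administered from the admin subnet in office hours',
    fail_code       => -20001,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Admin Window', 'HR Admin Hours');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Admin Window', 'HR Admin Host');

  -- 3. Authorization: HR_DBA is let into the realm only while the rule set passes.
  --    No other account is authorized, so SYS and the generic DBAs are kept out
  --    and their attempts land in the DV audit trail.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_DBA',
    rule_set_name => 'HR Admin Window',
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
```

A "sales DBA" is the same pattern with a second realm over the SALES schema and its own rule set; the point is that each DBA's reach is bounded by a realm, not by the DBA role.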